From 1e196181578a9f0af3ae71c9ebd243558c51d0a0 Mon Sep 17 00:00:00 2001 From: Gabriel Valcazar Date: Thu, 26 Aug 2021 18:13:04 +0200 Subject: [PATCH] linux-dey: add config fragment to enable SELinux configuration options These options should only be enabled when using SELinux, so apply them only when "selinux" is in the DISTRO_FEATURES. The fragment is a copy of the one in meta-selinux with the addition of DEFAULT_SECURITY_DAC and LSM. https://onedigi.atlassian.net/browse/DEL-7641 Signed-off-by: Gabriel Valcazar --- .../linux/linux-dey/selinux.cfg | 32 +++++++++++++++++++ .../linux/linux-dey_5.4.bbappend | 3 ++ 2 files changed, 35 insertions(+) create mode 100644 meta-digi-dey/dynamic-layers/selinux/recipes-kernel/linux/linux-dey/selinux.cfg create mode 100644 meta-digi-dey/dynamic-layers/selinux/recipes-kernel/linux/linux-dey_5.4.bbappend diff --git a/meta-digi-dey/dynamic-layers/selinux/recipes-kernel/linux/linux-dey/selinux.cfg b/meta-digi-dey/dynamic-layers/selinux/recipes-kernel/linux/linux-dey/selinux.cfg new file mode 100644 index 000000000..5799acbec --- /dev/null +++ b/meta-digi-dey/dynamic-layers/selinux/recipes-kernel/linux/linux-dey/selinux.cfg 
@@ -0,0 +1,32 @@ +.......................................................................... +. WARNING +. +. This file is a kernel configuration fragment, and not a full kernel +. configuration file. The final kernel configuration is made up of +. an assembly of processed fragments, each of which is designed to +. capture a specific part of the final configuration (e.g. platform +. configuration, feature configuration, and board specific hardware +. configuration). For more information on kernel configuration, please +. consult the product documentation. +. +.......................................................................... +CONFIG_AUDIT=y +CONFIG_NETWORK_SECMARK=y +CONFIG_EXT2_FS_SECURITY=y +CONFIG_EXT3_FS_SECURITY=y +CONFIG_EXT4_FS_SECURITY=y +CONFIG_JFS_SECURITY=y +CONFIG_REISERFS_FS_SECURITY=y +CONFIG_JFFS2_FS_SECURITY=y +CONFIG_SECURITY=y +CONFIG_SECURITYFS=y +CONFIG_SECURITY_NETWORK=y +CONFIG_SECURITY_SELINUX=y +CONFIG_SECURITY_SELINUX_BOOTPARAM=y +CONFIG_SECURITY_SELINUX_DISABLE=y +CONFIG_SECURITY_SELINUX_DEVELOP=y +CONFIG_SECURITY_SELINUX_AVC_STATS=y +CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1 +CONFIG_AUDIT_GENERIC=y +CONFIG_DEFAULT_SECURITY_DAC=n +CONFIG_LSM="lockdown,yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor" diff --git a/meta-digi-dey/dynamic-layers/selinux/recipes-kernel/linux/linux-dey_5.4.bbappend b/meta-digi-dey/dynamic-layers/selinux/recipes-kernel/linux/linux-dey_5.4.bbappend new file mode 100644 index 000000000..04f72532e --- /dev/null +++ b/meta-digi-dey/dynamic-layers/selinux/recipes-kernel/linux/linux-dey_5.4.bbappend @@ -0,0 +1,3 @@ +FILESEXTRAPATHS_prepend := "${THISDIR}/${BPN}:" + +SRC_URI += " ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'file://selinux.cfg', '', d)}"
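Review bot: in selinux.cfg, CONFIG_SECURITY_SELINUX_DISABLE=y, CONFIG_SECURITY_SELINUX_DEVELOP=y and CONFIG_SECURITY_SELINUX_BOOTPARAM=y each leave a way to switch enforcement off: runtime disable before policy load, permissive mode, and selinux=0 on the kernel command line. CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1 additionally makes SELinux check the protection the application requested for mmap/mprotect rather than the protection the kernel will actually apply. The commit message says the fragment is a copy of the meta-selinux one, so these look inherited rather than chosen. For production images, consider moving the DISABLE and DEVELOP options into a separate development-only fragment and setting CHECKREQPROT_VALUE=0, or say in the commit message that they are intentional. Since CONFIG_LSM is set explicitly and lists selinux ahead of smack, tomoyo and apparmor, please also explain why CONFIG_DEFAULT_SECURITY_DAC=n is still needed, and if it stays, write it in the usual kconfig form "# CONFIG_DEFAULT_SECURITY_DAC is not set".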
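Review bot: in linux-dey_5.4.bbappend, the SRC_URI line only fetches file://selinux.cfg; nothing in this patch shows that the linux-dey recipe merges .cfg fragments into the final .config, so please confirm that it does and that a build with "selinux" in DISTRO_FEATURES ends up with CONFIG_SECURITY_SELINUX=y and the intended CONFIG_LSM string (an explicit CONFIG_LSM in the base defconfig could conflict with the fragment's value). The bbappend is also pinned to the 5.4 recipe, so any other linux-dey version built with the selinux distro feature will silently get a kernel without these options; if that is not intended, name it linux-dey_%.bbappend or add a note that other versions are unsupported.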